diff --git a/base/default.nix b/base/default.nix
index 83a6be7..031f5d0 100644
--- a/base/default.nix
+++ b/base/default.nix
@@ -71,8 +71,6 @@
     fi
   '';
 
-  # security.lockKernelModules = true;
-  security.protectKernelImage = true;
   security.sudo.execWheelOnly = true;
   security.sudo.extraConfig = ''
     Defaults lecture = never
diff --git a/base/hardening.nix b/base/hardening.nix
index 9e163f3..588b8fd 100644
--- a/base/hardening.nix
+++ b/base/hardening.nix
@@ -58,4 +58,7 @@
     "nfc"
     "soundwire"
   ];
+
+  # security.lockKernelModules = true;
+  security.protectKernelImage = true;
 }